Neptune IT asked:

Issues with setting scom to monitor DMZ machines

Hi,
I am having difficulties setting up SCOM to monitor DMZ machines. I have set it up fine for non-DMZ PCs. However, when I try to set it up for a non-domain machine, it is being a headache.
I have followed the following article:
https://marckean.com/2012/07/19/installing-scom-2012-agent-on-a-non-domain-workgroup-windows-server-core-computer-using-the-command-line/

However, the last part with the MOMCertImport tool, importing the PFX, always throws an error with "catastrophic error". The certificate is valid but cannot be imported.
Any help is appreciated.
Tags: System Center Operations Manager (SCOM), Windows Server 2012, SCCM

Chris:

I had this exact same thing when I deployed mine.

First, when you create the cert in scom, just create it with the short name, not an FQDN.

Do the remainder of the steps.

When you get to the last step, run MOMCertImport.exe from an elevated prompt with nothing specified. It will pop open a selection box; select the imported certificate, and it should work.
Neptune IT (asker):

I was able to import it but am still unable to build a trust relationship between the DMZ VM and the SCOM server. Here are the logs from the DMZ VM:

The OpsMgr Connector cannot create a mutually authenticated connection to SRV-SCOM-MSS.slbntdom.neptunetg.com because it is not in a trusted domain.

and this is the log from the SCOM server:

The specified certificate could not be loaded because the Subject name on the certificate does not match the local computer name
 Certificate Subject Name : SCOMTestvm
 Computer Name            : SRV-SCOM-MSS.slbntdom.neptunetg.com

Another error log that could be related:

A Certificate for use with Mutual Authentication was specified, but that certificate could not be found.  The ability for this Health Service to communicate will likely be impacted.

I attached a screenshot of the Certificates console on the VM as well.

P.S. SRV-SCOM-MSS is the SCOM server and the CA.
Chris:

Sorry, I did not explain that very well.
Issue a certificate from the CA for the DMZ machine, using just the server host name, not an FQDN.

The SCOM server can be fully qualified, just not the DMZ.

Copy that standalone cert to the DMZ machine, import it into Certificates, and run MOMCertImport.exe from an elevated prompt.

Neptune IT (asker):

Hi Chris,
So I did follow all those steps; however, I still get the trust relationship error in the logs, and my SCOM can't connect to the DMZ machine.
Chris (accepted solution; the comment body is not included on this page):

Neptune IT (asker):

Question about that guide. It says that I need to manually add a domain suffix to my DMZ machine. What does that mean? Like literally just rename my DMZ CN to computername.domainname.com?

Chris:

Sure, good question.
So it means to go into the NIC Ethernet Properties, select IPv4 Properties, then select Advanced.
Then select the DNS tab and fill in a suffix in the lower box.
While it does indicate to do this, in my experience it doesn't really make a difference.
As long as the HOSTNAME of the DMZ machine matches the "common name" on the certificate, it will work.
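An added diagnostic, not from the thread or from Microsoft, to run in an elevated PowerShell on the DMZ machine: it lists each certificate in the computer's personal store and reports whether its Subject CN equals the local host name or FQDN (the rule Chris describes), whether a private key is present, and whether the Server Authentication and Client Authentication EKUs are set. The EKU and private-key checks are assumed from SCOM's documented agent certificate requirements; `$hostName` and `$fqdn` are mine.

```powershell
# Added example: audit LocalMachine\My for a certificate usable by the SCOM agent.
# Assumptions (not from the thread): the agent needs Subject CN == host name or
# FQDN, a private key in the store, and both Server and Client Authentication EKUs.
$hostName = $env:COMPUTERNAME
try   { $fqdn = [System.Net.Dns]::GetHostEntry($hostName).HostName }
catch { $fqdn = $hostName }   # workgroup boxes may have no resolvable FQDN

$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-SubjectCN {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # "CN=SCOMTestvm, O=Example" -> "SCOMTestvm"
    $part = ($Cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if ($part) { return $part.Substring(3) } else { return '' }
}

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return $oids
}

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $cn   = Get-SubjectCN -Cert $cert
    $ekus = Get-EkuOids   -Cert $cert
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        SubjectCN     = $cn
        NameMatches   = ($cn -ieq $hostName) -or ($cn -ieq $fqdn)
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuth    = $ekus -contains $serverAuthOid
        ClientAuth    = $ekus -contains $clientAuthOid
        Expired       = $cert.NotAfter -lt (Get-Date)
    }
}

$report | Format-Table -AutoSize
# A row with NameMatches, HasPrivateKey, ServerAuth and ClientAuth all True (and
# Expired False) is the one to select in MOMCertImport; a CN that does not match
# is what produces the "Subject name ... does not match the local computer name" event.
```

Run it on the SCOM server too: the server-side event in the thread shows a certificate whose CN is the DMZ host name being loaded on SRV-SCOM-MSS, which this report would flag as NameMatches False.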
Neptune IT (asker):

Thanks Chris. If it is not necessary, I will first try without the domain suffix. However, the guide also says that it is assumed the prerequisites are done before starting the guide:

Pre-reqs:

It is assumed that you have AD CS installed, an HTTPS binding is being used, and its associated certificate has been installed. Information about creating an HTTPS binding is available in the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA.

Which certificate is being talked about as already installed? My CA and SCOM server are the same. Does that mean I can assume my certificate is already installed and that prerequisite is completed?

Chris:

Sure. OK, so in this context, what it is saying is that you have a PKI environment already set up and working (CA and/or SubCA, if applicable), and that you are connecting to the SCOM server over HTTPS. Therefore you have issued a web certificate to the SCOM server from the CA/SubCA and installed that signed web certificate for SCOM into IIS on the SCOM server.

If you have done all that, then yes, you have completed the prerequisite.

So in your example, you indicate the servers are the same system. You still have to generate a web cert for IIS from the CA (local box) and install that web cert into IIS to enable the HTTPS binding.

Just an FYI, though: it is generally bad practice to install anything else on your CA. This machine should be entirely standalone, with no other services running on it that aren't directly related to or in support of Certificate Services.

Neptune IT (asker):

Chris, I see this red mark when I go to my SCOM/CA server page. Is this a problem, or can it be ignored?
Chris:

It means the server name / full URL doesn't match the common name on the certificate.

To elaborate: let's say you want to type https://myca.mydomain.net into your browser.
The certificate needs to be created with the common name set to: myca.mydomain.net

In your picture, I can see you've entered https://srv-scom-mss;
however, in the CA banner, the full server name is: srv-scom-mss.slbntdom.neptunetg...etc...
Neptune IT (asker):

I see, but Chris, would that cause problems with issuing certificates to other DMZ machines? I am still able to issue the certificates from that URL. I just don't know if that red popup is critical or not.

Sorry if this is a silly question.
Chris:

No, it wouldn't cause a problem; it's not critical. It will still issue certificates fine.

Chris:

Hey Neptune, did you ever get this sorted?

Neptune IT (asker):

No, I was not able to get SCOM to trust the DMZ machines.